
SPECIAL REPORT

Trends in HMI/SCADA
How advanced systems are simplifying operators' ability to respond to what matters.
Sponsored by

www.controlglobal.com

TABLE OF CONTENTS

Wanted: Better designed systems for operators
A lasting plan for managing alarms
Visible data means operations excellence
Too many alarms? It's time for SuperSCADA!
Understanding and minimizing HMI/SCADA system security gaps

Special Report: Trends in HMI/SCADA

www.controlglobal.com

Wanted: Better designed systems for operators
Operators responding to abnormal situations need better designed systems. The challenge is to not inundate the operator while being sure to wake them up.
By John Rezabek

Consultants focusing on operator effectiveness have been known to draw some inspiration from military aircraft designs, which incorporate a lot of graphical depictions of flight and combat variables on their cockpit heads-up displays.

The present generation of operator graphics uses some of these elements, often hiding or eliminating numerical values and incorporating retro panel board faceplates, animated bar graphs and dials. But when I pitch these ideas to the boss, he has a straightforward rebuttal: "Do we expect our operators to be fighter pilots?" That's a very succinct way of saying, jazzy new graphics aside, we don't rely on operators for life-or-death split-second judgments and actions, like one would a pilot in combat. In fact, most HAZOPs, layer of protection analyses (LOPAs) and alarm philosophies specify allowing 10 minutes for an operator to respond to take credit for an operator intervention. Some companies require a lot more than 10 minutes, or not at all! "Our operators are rocks," one HAZOP leader told me.

While operators aren't supposed to be ready to unleash a Sidewinder missile and shoot down the enemy in a fraction of a second, they still benefit from a keen awareness of the state of the process. Most process phenomena are taking place inside opaque piping, vessels and machinery; instrumentation is the only way anyone has a notion of what's happening. The measurements and indications we deliver to operators' monitors or panel boards constitute their eyes and ears. In the view of ISA 18.2-2009/IEC 62682, the situational awareness we provide is supposed to be optimized for clarity, accuracy and consistency to ensure that operators can intervene and prevent the process from entering the upset state. But what the guideline's tidy concentric diagram from section 5.3 doesn't depict is that the target or optimal operating regime is frequently at the edges of the capacities and ratings of equipment.

[Figure: concentric diagram with the labels Shutdown/Disposal, Trip Indication, Upset, Normal, Upset Indication, Pre-Trip Warning, Target, Pre-Upset Warning and Off-Target Indication. Source: ISA 18.2-2009/IEC 62682]

When we ask what the best indication of an abnormal situation is, alarm philosophies might suggest we consider suppressing or eliminating redundancies. For example, a flow alarm, a motor status and pressure indication may all have alarms configured that indicate a pump has tripped. In this simplistic example, the rationalization team might conclude, "I don't want the operator to get three alarms for the same malfunction." But taking away alarms (and redundancy) means the remaining "best" indication needs bulletproof reliability if we expect it to alert an operator who has hundreds or thousands of variables to monitor.

If you remember the days of pneumatics, a measurement came to the control house panel as a pressure (3-15 PSI) in a single tube. If you wanted to alarm on that measurement, you procured a pressure switch, calibrated it to actuate at the desired alarm setting and wired the switch to a light box or annunciator. Pneumatic controls offered an endearingly uncomplicated and direct linkage between the process variable and the alarm system. Perhaps you don't find it that endearing, but it did engender the single-loop integrity we'd like our modern systems to replicate.

Autonomous devices on a fieldbus segment solving function blocks have built-in alarming capability and can be configured to publish their measured variable and any alarm status relentlessly on a precisely synchronized, deterministic network. If my alarm philosophy compels me to configure only the best indications for a single malfunction, it would be ideal if I could obtain the alarms in this manner with as few intervening complications as possible. Even if I'm creatively implementing state-based or first-out suppression, I want to invoke these measures if and only if the measurements are timely and validated.

It would be nice, but in many implementations of fieldbus the DCS alarm system isn't listening directly to the devices on the bus. It's not uncommon for systems to employ a grafted-on approach, where all the fieldbus data is funneled into the legacy controller infrastructure. A measurement used in a PID controller relies on the PID block to generate alarms, so all the intervening code and communication is necessary to ensure the alarm is annunciated. As systems move toward architectures where the I/O isn't closely held by (i.e., wired to) the controllers, autonomous and deterministic delivery of alarms would be a measurable benefit.

John Rezabek is a process control specialist for ISP Corp., Lima, Ohio. Email him at jrezabek@ashland.com

A lasting plan for managing alarms
A well-written alarm philosophy defines procedures that allow your team to get alarms under control now and for the long haul.
By Ian Nimmo and Stephen Maddox

Alarm management seems to be a never-ending task: company X hires consultant Y to repair their badly designed and overloaded alarm management system for $1 million, and then 18 months later the same company is searching for a different vendor to help them with their poorly designed and overloaded alarm management system.

Many companies start out on the right track. They hear that standards and guidelines like EEMUA 191 talk about a lifecycle model, and the first step in that model is an alarm philosophy document. So they pay someone to write an alarm philosophy document, but when it's complete, it's useless to the alarm rationalization process because it doesn't tell how to address common issues that can save time and have a very big impact.

An alarm philosophy is a policy with rules and guidelines that can be enforced. An effective philosophy document will guide the rationalization process and describe procedures that will keep alarms under control on a continuing basis. The following are the key elements.

DEFINE AND PRIORITIZE ALARMS

An alarm philosophy document must define the difference between what is and what isn't an alarm. In rationalization meetings, someone often convinces the team that it needs to keep an alarm that clearly does not meet the criteria, so this high-level information must be easily extracted, put on a wall poster and be constantly in front of the rationalization team.

Non-alarms that provide useful information for the operators are called notifications or user alerts. They are not alarms, and during an abnormal operating condition or emergency, they can be silenced and ignored.

The philosophy should have a clear and practical method for the rationalization team to prioritize alarms. It should be easy to use and help the team determine the time to respond to the alarm as well as capture the consequences of failing to respond in a timely manner.

SET APPROPRIATE LIMITS

Many alarm systems fail for lack of an engineering solution for selecting alarm limits (setpoints). No one method can address this issue. Some alarms are recommended by equipment providers and are designed to keep equipment working within healthy, normal operating conditions. These are difficult to change and risk the loss of warranty if changed.

Some alarms are derived from the process operating envelope. Initially, the envelope is often undefined, so process engineers use their best judgment to determine set and trip points. After a period of operation, historical trends can help determine more accurate limits. A new analytical tool called CVE produced by PPCL does this using Geometric Process Control (Figure 1).

The tool allows the rationalization team to see the operating envelope, how it changes based on operations, and how the alarms are placed against this variability. It allows users to identify Grade 1 product, then protect it based on tight limits. This is very powerful and not just for identifying the alarm limits: it can speed up a rationalization project significantly by clarifying alarm relationships and quickly identifying problems. The tool also opens the door to process improvements, equipment condition monitoring, problem solving and process stewardship.

GEOMETRY DETERMINES LIMITS
Figure 1: PPCL's CVE tool allows the rationalization team to see the operating envelope, how it changes based on operations and how the alarms are placed against this variability. Credit: PPCL

Procedures should include a formal process to determine correct pressure, temperature, level and flow alarm setpoints for each alarm priority. The process should accommodate the need to adjust pressure and flow requirements based on the discovery of imminent integrity threats (e.g., discovery of immediate repair conditions during integrity assessments and notifications). It should also verify that field alarm setpoints are consistent with control center alarm setpoints, or a rationale for any offset. (Some operators intentionally offset field and control room alarm setpoints, so controllers are alerted and can take action before critical field thresholds are breached.)

The philosophy document should describe the difference between managed alarms and unmanaged alarms. The methodologies and maintenance of safety-related alarms (managed) should be described and the minimum requirements defined. For example, the methodology may call for layers of protection analysis (LOPA), clearly defining safety layer or layers of protection, their contribution to safety, how it's guaranteed through mean time between failure (MTBF) and mean time to repair (MTTR), and what testing is required to meet the standards.

One of the least understood elements of alarm management is the time to respond to the alarm (Figure 2). Once a variable crosses the zone from normal into abnormal operations, the clock is started and the steps are sequential. The alarm parameter is set to alarm unacknowledged. The response time for the operator to acknowledge seeing the alarm, which often involves just silencing the alarm, is the acknowledge delay time. The alarm state is then changed to acknowledged and the operator is then theoretically in the state we define as detection.

In many cases, there is a delay from acknowledging the alarm to continuing to diagnose the cause and required correction. We call this the operator response delay. During this period, the operator uses the alarm name descriptor to understand the alarm, and may have to use the HMI to determine which of several potential problems has caused it. If the operator is unfamiliar with this alarm, he may have to refer to an alarm response worksheet normally developed during the rationalization process.

Once the operator selects a course of action and makes adjustments, the process control system responds to the change request, but there is often a delay as the signal goes out to the field and, for example, operates a solenoid that causes a valve to move. This is known as the process dead time. After the valve has moved, it takes additional time for the adjusted flow, level, temperature or pressure to return to normal changed. This is called the process response delay or time. When the process variable crosses the normal operating line, the alarm is classified as return to normal.

Figure 2 highlights the maximum operator delay time: if the operator does not respond within this time, the consequences will be realized. This is critical for determining the required response time and setting alarm priority. Much of this data can be obtained by reviewing historical trends and observing the alarm and the operator responses.

TIME TO RESPOND
[Figure 2 diagram: process variable (PV) plotted against Time, with the labels Normal, Unack Alarm, Ack and Response, Return to Normal, alarm setpoint, consequence threshold, process response without operator action, process response to operator action, operator takes timely action, operator takes latest action, ack delay, oper response delay, process deadtime, Operator Response Time, max oper response delay and Max Operator Response Time.]
Figure 2: Analysis of response must consider the maximum operator delay time. If the operator doesn't respond within this time, the consequences will be realized. This is critical for determining the required response time and setting alarm priority. Credit: User Centered Design Services Inc.

RATIONALIZATION PROCEDURE

Four topics are extremely important and should not be overlooked in the philosophy document:

• Alarm management overview
• Alarm management lifecycle
• Alarm design principles
• Alarm management rationalization methodology, including a risk matrix and wall posters.

The rationalization team can further develop and implement them through the following procedure:

Appoint an alarm champion in charge of enforcing the alarm philosophy and maintaining the system. Plants often record lots of data and many have invested in alarm management tools that provide statistical analysis including frequency of alarms, lists of duplicate alarms, bad actors, frequency of alarm floods, and many more interesting facts about the performance of your alarm system. Most of the systems can provide weekly, monthly and annual reports that can be analyzed to determine the quality of your alarm system and how it impacts operator performance.

Designate a responsible person to manage reporting and analysis, create action items, follow up on maintenance activities to ensure rationalization is in line with standards defined in your philosophy, and provide executive summaries to management on performance and progress. This person should ensure that alarm enforcement is working and that suppressed or shelved alarms are being managed as prescribed in the alarm philosophy. All elements of the alarm management system in the philosophy should be audited and continuously improved.

Train operator, engineering, safety, automation, management and HR personnel. For the philosophy to be successful, all plant personnel should be aware of the philosophy document. This includes engineering project managers, who often hire third parties to implement projects that often involve adding new alarms. If not correctly managed, these projects often provide a whole new batch of unrationalized alarms.

Companies often train only the operators or the initial team. Computer-based training (CBT) must be developed for new employees along with a refresher training program to keep people up to date, so as they go onto an alarm management project, the foundational investment you made in the philosophy and rationalization methodology is not wasted. The CBT should cover the use of the rationalization procedure, wall charts and a sample alarm rationalization exercise.

Provide tools for managing alarms, enforcing the philosophy and maintaining the system. The important considerations when selecting an alarm management analysis tool are:

• Can I get my historical data into it without too much difficulty?
• Does it allow me to visualize and analyze my problems?
• Is it easy to generate the daily, weekly, monthly, quarterly and annual reports I need based on my philosophy?
• Is the software easy to maintain as my system evolves?

Continue to have alarm review meetings with the operators for the life of the alarm system. At the end of the day, if the operators across all shifts don't take ownership and keep up to date on what has been fixed and what progress is being made, the project will fail. They have to be able to see the benefits and get excited that this is something worth investing money and their time.

Most projects like this fail due to one of two things: lack of money or lack of resources to ensure the effectiveness of the rationalization team. We have been on many projects where only one or two operators are provided. Part way through the week, someone gets sick and they have to go back, so they can cover night shift, and you're lost.

To ensure success, the project should be set up just like any other project that the company takes on. It should have goals; it should have identified and confirmed resources; it should have a project plan; and opportunities and potential problem areas should be identified upfront. Progress and progress reports should be tracked; it's important that individuals are given responsibility and held accountable like on any other project.

Implement dynamic alarming to manage upset conditions where alarm floods are inevitable. Many companies struggle over the concepts of dynamic alarming, and are confused about when to do it. Some do the basic alarm configuration and solve bad actors, and when they run out of steam, they turn to dynamic alarm techniques to address the more difficult issues such as alarm floods. It's most important to first follow the rules and not skip any of the required steps: document every alarm, filling in the alarm response sheet discussed earlier. Where possible, integrate it into a pull-down menu on Level 3 of the HMI graphics. The result will be an improvement in the alarm frequency.

One alarm tool manufacturer believes you should begin by grouping alarms around unit operations and set the alarms based on operating modes; i.e., startup, normal operations, product change and shutdown. This will set up preconfigured alarm states and dynamically suppress or auto shelve the alarms based on plant state. However, automatically detecting plant state can be a challenge, so there has to be an operator override or operator instruction to confirm that plant state.

Auto-shelving can have a big impact. For example, if you detect that a unit operation such as a compressor has tripped, the associated alarms can be shelved as they are superfluous to the operator after the trip.

PUT THE PHILOSOPHY TO WORK

The alarm philosophy document is a policy, with rules and guidelines that should be enforced. To get the desired results:

• Perform a staffing study to make sure you have the right number of operators and check to see if the workload is balanced.
• Appoint an alarm champion, someone in charge of enforcing the alarm philosophy and maintaining the system.
• Train the operators, engineers, safety, automation, managers and HR; they all need to know and understand the philosophy.
• Provide tools for managing alarms, enforcing the philosophy, and maintaining the system.
• Have continued alarm review meetings with the operators for the life of the alarm system.
• Implement dynamic alarming to manage upset conditions where alarm floods are inevitable.

MAKE ALARMS MANAGEABLE

The objective of an alarm philosophy is to control daily alarms and to reduce the size and frequency of alarm floods. When the system performs effectively, the operator workload is not burdened by the alarm system, and we can consider alarms to be within normal operations.

Our ultimate goal is to be able to demonstrate that the operator has the capacity to detect, diagnose and respond to alarms in a specified and timely manner to protect the plant, personnel and community from the consequences the alarms are designed to prevent.

Ian Nimmo is the owner and Stephen Maddox is a human factors design consultant at User Centered Design Services, Inc.
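The time-to-respond sequence from the alarm management article above (acknowledge delay, operator response delay, then process dead time and response, checked against a maximum operator response time) can be recovered from historical alarm records, as that article suggests. The following is an added example, not part of the original report: the journal format, the ACTION event and the per-tag limits in MAX_RESPONSE_S are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample journal (not from the report): "<ISO timestamp> <tag> <event>".
# ALARM  = variable crosses the alarm setpoint (alarm unacknowledged)
# ACK    = operator acknowledges the alarm
# ACTION = operator makes the corrective adjustment (assumed to be journaled)
# RTN    = process variable returns to normal
JOURNAL = """\
2024-03-01T08:00:00 FI-101 ALARM
2024-03-01T08:00:40 FI-101 ACK
2024-03-01T08:04:10 FI-101 ACTION
2024-03-01T08:09:30 FI-101 RTN
2024-03-01T09:15:00 PI-205 ALARM
2024-03-01T09:15:20 PI-205 ACK
2024-03-01T09:29:50 PI-205 ACTION
2024-03-01T09:41:00 PI-205 RTN
2024-03-01T11:02:00 FI-101 ALARM
2024-03-01T11:02:05 FI-101 ACK
2024-03-01T11:06:00 FI-101 RTN
"""

# Hypothetical rationalization result: maximum operator response time per tag,
# in seconds, measured from ALARM to the operator's corrective ACTION.
MAX_RESPONSE_S = {"FI-101": 600, "PI-205": 600}


@dataclass
class Episode:
    tag: str
    alarm: datetime
    ack: Optional[datetime] = None
    action: Optional[datetime] = None
    rtn: Optional[datetime] = None


def parse_journal(text):
    """Group journal lines into one Episode per alarm activation."""
    open_eps, done = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, tag, event = line.split()
        when = datetime.fromisoformat(stamp)
        if event == "ALARM":
            if tag in open_eps:  # re-alarm with no RTN logged: close the stale episode
                done.append(open_eps.pop(tag))
            open_eps[tag] = Episode(tag, when)
            continue
        ep = open_eps.get(tag)
        if ep is None:  # event for an alarm raised before the journal starts
            continue
        if event == "ACK" and ep.ack is None:
            ep.ack = when
        elif event == "ACTION" and ep.action is None:
            ep.action = when
        elif event == "RTN":
            ep.rtn = when
            done.append(open_eps.pop(tag))
    done.extend(open_eps.values())  # still in alarm when the journal ends
    return sorted(done, key=lambda e: e.alarm)


def _secs(start, end):
    return None if start is None or end is None else (end - start).total_seconds()


def timing(ep, limits):
    """Split one episode into its sequential delays and judge the response."""
    operator_response = _secs(ep.alarm, ep.action)
    limit = limits.get(ep.tag)
    if operator_response is None:
        verdict = "no_action"   # cleared or still active without operator action
    elif limit is None:
        verdict = "no_limit"    # no maximum response time defined for this tag
    elif operator_response > limit:
        verdict = "late"
    else:
        verdict = "timely"
    return {
        "tag": ep.tag,
        "ack_delay_s": _secs(ep.alarm, ep.ack),
        "response_delay_s": _secs(ep.ack, ep.action),
        "operator_response_s": operator_response,
        # Dead time and process response cannot be separated from the journal alone.
        "process_recovery_s": _secs(ep.action, ep.rtn),
        "verdict": verdict,
    }


def analyze(text, limits):
    return [timing(ep, limits) for ep in parse_journal(text)]


if __name__ == "__main__":
    for row in analyze(JOURNAL, MAX_RESPONSE_S):
        print(row)
```

Episodes flagged "no_action" returned to normal without a journaled operator adjustment, which makes them candidates for review in the rationalization meetings the article describes.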

Visible data means operations excellence
Coca-Cola and GE Lighting Use GE Workflow, Historian, iFix HMI SCADA and Portal Software to Streamline Lighting and Refreshment Production

Seeing is believing, and bringing operational information into the light makes it usable by everyone in an enterprise, allowing them all to make faster, more productive decisions.

This enhanced awareness was especially useful at GE Lighting, which reinvented itself to transition from manufacturing millions of homogenous, incandescent light bulbs to developing tailored, LED lighting solutions for its many customers.

Similarly, Coca-Cola gained new insights to help further optimize production, while also taking advantage of cloud-based data gathering, analysis and protection. These experiences were described by Craig Platt, IT director at GE Lighting, and Ioan Batran, automation engineering director at Coca-Cola Refreshments (CCR), in their presentation, "Operational Excellence: Improve Data Visibility Across the Enterprise" at GE's User Summit in Orlando, Florida.

"We can compare the performance of plants, lines and even individual machines." Coca-Cola Refreshments' Ioan Batran on the company's 70-plant deployment of KPI dashboards based on GE technology.

"Incandescent bulbs were our bread and butter, but now it's going to be unlawful to manufacture them. Fortunately, we're prepared on the LED side, but we also had to combine a 75-year-old business with what is basically a start-up organization," said Platt. "Where lighting used to be a replacement business at the back of the supply chain, we had to move further up into the supply chain because LED is a fixtures-and-solutions business. So instead of making 3.5 million of the same bulb per day at one plant, we had to move to configuring LED solution for individual users. We also had to reduce our order-to-ship (OTS) cycle time from 30 days to 10 days and improve our OTS fill rate from 70% to 90%."

With help from its reorganization and GE's Workflow software, Platt reported that GE Lighting streamlined its assembly and OTS processes, reconfigured and integrated its manufacturing lines, improved its raw material flows and implemented a visual material management system. "We created a supermarket and mini-market approach, used Kanban cards and flow, adopted on-demand label printing and got down to 10 days for one product line and then added others," said Platt. "In fact, our mini-market picking is done with wearable, on-wrist PCs that are all controlled by our overall MES system. Now customers can see their units as they're manufactured, and this gives everyone more confidence."

Meanwhile, though it's been using GE software for many years, Batran reported that Coca-Cola revamped its application at 70 manufacturing facilities. "We focused on reducing complexity in our supply chain, pushed back against inefficient customization, did a lot of root cause analysis and concentrated on useful action," said Batran. "In our line information systems (LIS), we sought to better track line assets, increase efficiency, reduce equipment losses and downtime, and improve our decisions. Our LIS basically tells us if we're meeting our promises."

Batran added that all levels at Coca-Cola's production facilities need data from their LIS, so simplifying their software and standardizing their control architectures makes them easier to deploy and support. This 70-plant renovation began by updating the LIS server at each facility with GE Historian, iFix HMI SCADA and Portal dashboard software. These solutions allow each LIS to deliver real-time and historical data, and then push reported KPIs to an SQL enterprise database via Sync Agent software and Microsoft Azure to Coca-Cola's cloud-based server.

"We started this program [in 2013], and now we can compare the performance of plants, lines and even individual machines," explained Batran. "LIS management routines and practices measure and manage our manufacturing processes to maintain and improve performance," said Batran. "We're also implementing paperless guidance, so we can further un-cloud our crystal ball and focus our decisions more precisely on what we need to do."

These improvements allow the LIS to generate tactical reviews that let users respond to specific operational events, and produce strategic reviews that let them address continuous improvement efforts by identifying trends, patterns and root causes. "The reviews help us implement better management routines, which need to be backed up by appropriate levels of change management," added Batran. "You also have to secure leadership support and stakeholder buy-in."

Views available on Coca-Cola's LIS-based system include plant overviews, production line layouts, historical machine status, short-interval control reports, enterprise-level displays and others. These displays can be presented on PCs, tablet PCs and smartphones. "The enterprise LIS even lets us see selected KPIs on multiple lines, so we can compare the performance of different machines," added Batran. Next steps include implementing more paperless capabilities and autopilot management routines, as well as improving overall management routines, coaching and auditing.

Too many alarms? It's time for SuperSCADA!
By Alicia Bowers, GE

What's the biggest challenge our customers face on the plant floor? Ding ding ding, that's right, managing alarms.

Recently, we held a webinar for customers on how to increase operator productivity. We polled the audience about their greatest challenges. Here was the list of possible responses:

• Too many alarms
• Not enough operators / budget
• Errors during manual processes
• High turnover of workers / lack of skills
• Complexity of processes
• Regulatory requirement

Too many alarms is still the biggest challenge! I thought high turnover of workers would win with so much of the experienced workforce retiring. By the way, regulatory requirements came in lowest.

But, too many alarms as the overwhelming answer? Sure, alarms were a challenge with traditional HMI/SCADA systems, but let's face it: every organization can manage alarms today with modern technology.

Today's SCADA is not just monitoring and visualization, with alarms rolling in. According to GE SCADA expert Prasad Pai, most SCADA systems are still configured as HMIs, a display to indicate status. However, for operators, a SCADA is their Decision Support system. If viewed that way, your SCADA should be the foundation of an efficient operation.

What can you do today? It's time to call on the power of your SuperSCADA and end those alarm problems!

Here are three ways your mild-mannered SuperSCADA can help you, right now:

• Use analysis tools to reduce the number of alarms that occur. Your GE HMI/SCADA has logging and analysis capabilities to not only help you reduce the number of alarms but also to deliver on business goals. As an example, one of our pharmaceutical customers used his iFIX system to reduce costs for his business by $5 million a year, and that was seven years ago.
• Drive response on the alarms that matter. With GE software, you have task management capabilities, allowing you to trigger the right actions, at the right time, by the right person, in the right place based on alarms. That's a lot of rights. Are you using this capability?
• Leverage HMI/SCADA design best practices. How old are your screens? Be sure you are using the latest in standards for screen design to improve situational awareness. Also, learn about the standards for categorizing alarms.

There are many other techniques for managing alarms. We'll make more information available to you, including how to understand the challenges that overwhelming alarms aggravate. For now, here are two golden rules to think about:

• Don't allow technology to complicate the operator experience.
• Use technology to improve the operator experience and manage alarms for greater efficiency.

With just a glance, operators today should be able to recognize which information requires their attention and what it indicates. If you are a GE HMI/SCADA customer, you already have a SuperSCADA. You can enable smarter operators with faster alarm detection and understanding today.

Want to learn more? Click here to see what's part of GE's HMI/SCADA. And, if you're not sure where to begin, reach out. GE has been in this business and knows SCADA; we're here to help. We might bring you the best SuperSCADA technology, but we want YOU to be the superhero in your business, delivering phenomenal results, every day.

Understanding and
minimizing HMI/SCADA
system security gaps
By Prasad Pai, GE Digital

eing at the heart of an operations data visualization, control and reporting for operational improvements, HMI/SCADA systems have received a great deal of attention, especially due to various cyber threats and other media-fueled vulnerabilities.

The focus on HMI/SCADA security has grown exponentially in the last decade, and as a result, users of HMI/SCADA systems across the globe are increasingly taking steps to protect
this key element of their operations.
The HMI/SCADA market has been evolving over the last 20 years with functionality, scalability and interoperability at the forefront. For example, HMI/SCADA software has evolved
from being a programming package that enables quick development of an application to
visualize data within a programmable logic controller (PLC) to being a development suite
of products that delivers powerful 3-D visualizations, intelligent control capabilities, data
recording functions, and networkability.
With HMI/SCADA systems advancing technologically and implementations becoming
increasingly complex, some industry standards have emerged with the goal of improving
security. However, part of the challenge is knowing where to start in securing the entire
system.

Special Report: Trends in HMI/SCADA

18

www.controlglobal.com

The purpose of this paper is to explain where vulnerabilities within an HMI/SCADA system may lie, describe how the inherent security of system designs minimizes some risks, outline some proactive steps businesses can take, and highlight several software capabilities that companies can leverage to further enhance their security.

SCADA SECURITY IN CONTEXT

The International Society of Automation (ISA) production model demonstrates the layered structure of a typical operation, and shows that HMI/SCADA security is only one part of an effective cyber-security strategy. These layers of automated solution suites share data, and wherever data is shared between devices, there is a possibility for unauthorized access and manipulation of that data. This white paper concentrates on the HMI/SCADA layer, but unless other potential weaknesses at other levels are covered, the operation as a whole remains vulnerable.

[Figure: ISA production model layers (ERP, MES, SCADA/HMI, PLC/DCS, Sensor and Actuator)]

Component vulnerabilities within an HMI/SCADA system

To minimize existing security gaps, companies need to first understand where potential vulnerabilities typically lie within the system. Powerful software features, along with the advancements in automation hardware and industrial communications, have made control systems multi-layered, complex and susceptible to threats. An HMI/SCADA system's level of security is best understood if broken down into two major elements: Communication and Software Technology.

COMMUNICATION

Communication advancements have made large-scale HMI/SCADA system implementations successful for many industry applications. There are two levels of communication that exist within the system: information technology (IT) and the field, which have notable security level differences.

IT - Components of an HMI/SCADA system are modular, not only to allow for easy troubleshooting but also to distribute the computing load and eliminate a single point of failure. It is not uncommon to have multiple thick, thin, web and mobile runtime clients connected to the main HMI/SCADA server hub over an internal Ethernet-based network; however, in some cases, systems may use external leased lines, modems, wireless, cellular, or satellite technologies as well.


The main HMI/SCADA server hub also consists of multiple networked servers to distribute the load, ensure uptime, and store the mass amount of data. With these components all networked in some way, they use standardized common protocols to transfer data, all of which are largely unencrypted, requiring weak or no authentication.

Field - HMI/SCADA implementations frequently consist of a number of widely dispersed remote sites with a control or data gathering function, all connected to a central control and monitoring point. Data has to be passed between the control room and the remote terminal units (RTUs) over a network (which may be fiber optic, telephone or wireless), and the protocols for passing this data have frequently been developed with an emphasis on reliability and ease of implementation rather than security.

Modern computing facilities have made secure practical encryption almost impossible to defend against a determined hacker, so communications between devices need to employ several layers of defense with the primary aim to make access to the data difficult, and detect if the data has been compromised.

SOFTWARE TECHNOLOGY

Software over the years has largely become feature-bloated as companies keep adding new capabilities while maintaining all of the existing ones, increasing the complexity of software security. There are two separate but dependent software technologies in the system, the HMI/SCADA software and the Platform Operating System, which have distinct differences when it comes to security.

HMI/SCADA Software - Most HMI/SCADA software installations have either external network connections or direct Internet-based connectivity to perform remote maintenance functions and/or connect up to enterprise systems. While these types of connections help companies reduce labor costs and increase the efficiency of their field technicians, it is a key entry point for anyone attempting to access with a malicious intent.

Platform Operating System - Operating systems that employ elements of consumer or open source operating systems such as Windows Server, Linux and Unix variants are increasingly popular since they help reduce costs. This trend toward open technologies has made proprietary custom, closed, highly secure systems a direction of the past, but it increases the risks.


Also, due to the fact that HMI/SCADA systems are complex and contain multiple layers of technology, even a simple system patch is a major undertaking that requires planning, funding and time. The risk elements are also substantial because many systems now rely solely on their HMI/SCADA system for visualization, data recording and some control elements. And to this point, some companies hold back on patches, service packs and upgrades, while others choose not to apply any new patches, employing an "it works, don't touch it" policy. Furthermore, software patches have generally been developed to cover for a security breach that has already occurred.

Some would say that even if companies could keep their platforms current, with the fast pace of consumer-based operating systems and large number of system exploits, platform operating systems are the single largest security risk in the system.

THE INHERENT SECURITY OF SYSTEM DESIGNS MINIMIZES SOME RISKS

The good news is that some vulnerability is minimized by the nature of system design and HMI/SCADA software design, whereby the fundamental principles and canons of engineering mandate safe and reliable systems. This ensures a basic level of security to protect against an intruder.

Engineers design systems with intentionally broken automated chains, meaning in some cases functions require physical confirmation prior to the software performing commands and in other cases, the SCADA software only does a portion of the command, requiring one or many additional manual steps to execute the function. Inherent system security is best summarized at the software and hardware levels.

Software: With many viewing HMI/SCADA software as a visualization tool that provides a means for dynamic operator input and visualization as a flexible information terminal, the reality is that HMI/SCADA software capabilities are much more exhaustive. When elements are added such as control and logic capabilities, system engineers must examine the risk from a potential failure standpoint and the extent of control that is allowed without being in line of sight of the area being controlled.

Software is also developed from the operator's perspective and uses company guidelines throughout the application to ensure the operator is controlling with intent. While this doesn't necessarily bring additional security from external intruders, it does provide enhanced protection against mistakes. For example, the "select before operate" design philosophy is typically used in HMI/SCADA applications, which requires the operator to select an item on the screen, pull up the controlling elements, operate the item, and finally confirm to send the command. While this may seem like a simple ideology or a drawn out process, this intentional design ensures that an operator's actions are deliberate as opposed to a hasty reaction to an urgent situation.

Hardware: At this level, design engineers employ many techniques to ensure safe control, either physically or by the HMI/SCADA software. Thousands of individual devices and RTUs can exist in a system and are typically implemented with an area-based manual or automatic control selection; field technicians use manual control to perform maintenance or to address a software failure, locking out the software control and establishing local control.

Additionally, when engineers design this level of the system, many hardware-based fail-safes are built in the design such as fusing or hardwire interlock logic to examine the local situation, so when components are commanded by the HMI/SCADA software, there is a hardware level of checks to ensure it can be executed. This protects the system from unsafe or even incorrect software control. Furthermore, many critical applications use triple and quad redundant logic controllers to ensure continuous operations.

The general design rule that system engineers apply for all levels of a system can be summarized as "if a single point of failure exists, protect it or provide secondary means." Therefore, design philosophies typically drive a holistically safe and secure environment, which can severely impede an intruder's ability at the HMI/SCADA level to impact the entire system.

Be proactive: Enhance your security with software capabilities

However, even the safest system design and industry standards cannot secure a system 100%, and therefore, companies should not rely on them wholly to protect their systems.

Instead, they should take a proactive approach to enhancing security, and a good starting point is knowing what technologies are available to help them best meet their needs.

Selecting a trusted solution provider with deep expertise, experience and advanced technologies is also critical. Off-the-shelf HMI/SCADA solutions such as GE Digital's Proficy software have successfully helped companies minimize their security gaps with a broad range of security-based software technologies, including:


Biometrics - When bio-security elements are integrated to the system, customers can program their system to require finger scans to perform specific functions such as switching on and off the grid's main switchgears, which ensures that the appropriate person be physically present to execute the order.

This type of integration eliminates the possibility of a hacker performing the same operation virtually, reducing the overall potential impact and enhancing the overall system security.

Electronic Signature - Many view this option as a simple reporting tool; however, the features are much more comprehensive. For example, it can introduce authentication potential at the command level to verify the user performing the operation with a username and password as well as a separate authentication, typically a manager, for verification.

The information is then stored in a system audit trail that can be recalled in the future; some customers also choose to integrate this feature with biometrics to eliminate the use of a single, widely known username and password.

Authorized Connections & Client/Server Data Encryption - Many off-the-shelf HMI/SCADA software products now have built-in features that limit the allowable client connections to known computers and use integrated data encryption for client communications. This protective capability eliminates the possibility of a hacker simply loading the HMI/SCADA client and connecting over the network.

Domain Authentication - To leverage complex alphanumeric passwords at the HMI/SCADA level, some software packages offer an add-on capability that introduces Windows Domain Authentication security integration. For example, GE features an application add-on that maps group memberships to its Proficy HMI/SCADA software roles and, when integrated, the users and subsequent passwords are managed at the IT level.

This allows for the HMI/SCADA application to leverage existing group IT-level policies, which are typically very stringent and can exceed industry requirements.

FUNDING IN TODAY'S BUSINESS CLIMATE

Improving an overall system's security can be a costly endeavor, and companies must find the right balance between spend, design and process to make their systems safe. This is especially true as companies face increasing cost reductions mandated in today's challenging economic environment. In response, off-the-shelf HMI/SCADA vendors have developed industry solution packs that include specifically tailored tools to help reduce development and overall system costs.

For example, GE Digital's iPower, Water, & OEM Solutions Packs offer complete, pre-developed, HMI/SCADA drag-and-drop elements, graphics, toolsets and configuration tools that significantly reduce both the initial and ongoing costs associated with HMI/SCADA software. Companies can then reroute the resulting cost savings into additional security software and hardware to augment the inherent safety of their systems, reducing overall vulnerability.

The cost of implementing an HMI/SCADA security policy should also be evaluated against the risk of a security breach in terms of reputation, liability and intellectual property.

Companies may discover a proactive approach actually reduces overall costs by ensuring business continuity when compared to the potential operational and financial loss that can occur due to the exposure of an unprotected system.

The vulnerabilities of HMI/SCADA systems pose a serious threat, and the complexity of multi-layered technologies makes it difficult to completely secure one's operation. As discussed in this paper, the inherent safe design of most HMI/SCADA systems offers some protection, but they are by no means enough to fully protect systems. That's why it's important for companies to better understand where vulnerabilities exist within their systems and to take a proactive approach to address those susceptible areas. Off-the-shelf HMI/SCADA vendors offer software solutions with security-based capabilities, which can help companies enhance the protection of their critical infrastructure assets and reduce costs for a sustainable competitive advantage.

GE Digital Platforms Contact Information
Americas: 800-433-2682 or 434-978-5100
Global regional phone numbers are listed by location at www.ge-ip.com/contact
www.ge-ip.com
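The "select before operate" sequence and the command-level electronic signature described in this paper can be combined in one command gate; the sketch below is an added example, not GE's or Proficy's code. The `CommandGate` class, the `op1`/`mgr1` accounts, the 30-second selection timeout, the manager-only verifier rule and the hash-chained audit trail are all assumptions made for illustration.

```python
import hashlib, hmac, json, time

def _kdf(password):  # fixed salt for the demo only (assumption)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 10_000)
# Constructed accounts: user -> (password hash, role)
USERS = {"op1": (_kdf("op1-pass"), "operator"), "mgr1": (_kdf("mgr1-pass"), "manager")}

def authenticate(user, password):
    return user in USERS and hmac.compare_digest(USERS[user][0], _kdf(password))

def _digest(prev, body):
    return hashlib.sha256((prev + body).encode()).hexdigest()

class CommandGate:
    SELECT_TIMEOUT = 30.0  # seconds a selection stays armed (assumed value)
    def __init__(self, clock=time.monotonic):
        self.clock, self.selected, self.pending, self.audit = clock, None, None, []

    def _log(self, event, **fields):
        """Append a hash-chained audit entry; return True only for an executed command."""
        prev = self.audit[-1]["digest"] if self.audit else ""
        body = json.dumps({"event": event, **fields}, sort_keys=True)
        self.audit.append({"body": body, "digest": _digest(prev, body)})
        return event == "execute"

    def select(self, point):
        self.selected, self.pending = (point, self.clock()), None
        self._log("select", point=point)

    def operate(self, point, action):
        armed = self.selected is not None and self.selected[0] == point
        if not armed or self.clock() - self.selected[1] > self.SELECT_TIMEOUT:
            self.selected = None
            return self._log("reject", point=point, reason="no live selection")
        self.pending = (point, action)
        return True

    def confirm(self, performer, verifier):  # each is (user, password)
        if self.pending is None:
            return False
        (point, action), self.selected, self.pending = self.pending, None, None
        ok = (authenticate(*performer) and authenticate(*verifier)
              and performer[0] != verifier[0] and USERS[verifier[0]][1] == "manager")
        return self._log("execute" if ok else "reject", point=point, action=action,
                         performer=performer[0], verifier=verifier[0])

def audit_intact(audit):
    prevs = [""] + [entry["digest"] for entry in audit]
    return all(_digest(p, e["body"]) == e["digest"] for p, e in zip(prevs, audit))
```

The hash chain only reveals tampering if the most recent digest is also kept somewhere the HMI host cannot rewrite.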
